Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah

DustinB3403

TeamViewer maybe?

I'm honestly just not sure how and where a risk like this could be spread so quickly. Unless there was something so blatantly obvious that it's borderline intentional to have caused this.

@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

No idea. Maybe VPNs for remote management. That's the most common vector for this. Or we've heard that unpatched ConnectWise is a popular target for it too.

Yeah those are possibilities.

Their website says "Protek provides unlimited onsite and remote support from local certified technicians." meaning some type of remote access.

I'm curious if they kept all of their client passwords in an unprotected excel spreadsheet too. . .

scottalanmiller

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

TeamViewer maybe?

I'm honestly just not sure how and where a risk like this could be spread so quickly. Unless there was something so blatantly obvious that it's borderline intentional to have caused this.

Doesn't necessarily have to spread quickly. Might have taken its time and triggered all at once.

DustinB3403

Oh right on their website

https://protek.screenconnect.com/

scottalanmiller

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

Their website says "Protek provides unlimited onsite and remote support from local certified technicians." meaning some type of remote access.

We know that they do remote management, but that's all that we know.

coliver

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

Oh right on their website

https://protek.screenconnect.com/

Hosted Screenconnect. That should have been patched by Connectwise.

Reid Cooper

What would MSPs do in a situation like this? It must be case by case, but do you pay the ransom and hope that the data really gets unlocked? That's a huge risk.

If they have good backups and processes, hopefully they don't need to pay the ransom. But it doesn't sound like they do if they have been down for so long and are not progressing yet.

scottalanmiller

@coliver said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

Oh right on their website

https://protek.screenconnect.com/

Hosted Screenconnect. That should have been patched by Connectwise.

Good catch. Might just be one of many tools that they use, though.

DustinB3403

It's funny how their website is setup. Each portal is different from the last, none that are remotely similar.

Just as a customer that would raise a red flag for me when having been through the selection process. Something else is that all of their support pages make the boast that "local certified support".

Which, no problem, everyone needs to eat. But what if a bus just happens to come crashing through your office. All support is gone.

Throw some global support options in there. Especially since they have ScreenConnect. Literally 0 reason to require local on-site only staff.

LilAng

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

It's funny how their website is setup

You should see the get to know us page and hover over the pictures.

DustinB3403

@coliver said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

Oh right on their website

https://protek.screenconnect.com/

Hosted Screenconnect. That should have been patched by Connectwise.

Yeah, but still wouldn't do anything to prevent bad password policy.

RojoLoco

@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.

DustinB3403

@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.

And taking and testing backups is literally one of the things that they say they do!

So to have taken this long to get up and running means either they are lying about their capabilities, their backups were hit as well or that they've never taken any backups!

RojoLoco

@DustinB3403 ransomware can't hit those air-gapped, offsite backups... oh, wait.

Obsolesce

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

TeamViewer maybe?

I'm honestly just not sure how and where a risk like this could be spread so quickly. Unless there was something so blatantly obvious that it's borderline intentional to have caused this.

@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

No idea. Maybe VPNs for remote management. That's the most common vector for this. Or we've heard that unpatched ConnectWise is a popular target for it too.

Yeah those are possibilities.

Their website says "Protek provides unlimited onsite and remote support from local certified technicians." meaning some type of remote access.

I'm curious if they kept all of their client passwords in an unprotected excel spreadsheet too. . .

Anything using a username and password is an easy target. It's just a matter of social engineering via email or phone, or many other possibilities such as a fake URL to somewhere that looks legit, a trojan, etc...

scottalanmiller

@DustinB3403 said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

It's funny how their website is setup. Each portal is different from the last, none that are remotely similar.

Just as a customer that would raise a red flag for me when having been through the selection process. Something else is that all of their support pages make the boast that "local certified support".

Which, no problem, everyone needs to eat. But what if a bus just happens to come crashing through your office. All support is gone.

Throw some global support options in there. Especially since they have ScreenConnect. Literally 0 reason to require local on-site only staff.

I think it makes more sense if you dig into their profiles and realize that they are a desktop break/fix firm primarily. So I suspect most of their work is done physically.

scottalanmiller

@RojoLoco said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

@Reid-Cooper I would NEVER hire or even consider an MSP that paid a ransom. That means they are incapable or unwilling to make and test backups, so that's a hard no.

I wouldn't go that far. MSPs don't get to make those decisions. It is their customers who choose if they get to have and/or test backups. MSPs can (and should) suggest it, but they don't get to make the final call.

Now, that said, if the MSP recommended it and it wasn't done, why would the MSP pay the ransom anyway? That suggests that the MSP is at fault, for sure.

1337

@scottalanmiller I've seen entire LANs hit by ransomware and it's tough getting it back up because everything is either down by the ransomware or by choice (to avoid it getting worse).

So your machine will not get an IP address because DHCP is down, you can't log in because AD is down, you can't access backups even if you have them because of the above and DNS is down. And often firewalls and WAN links have been shut down as well. PBX will be down, O365 can't be accessed. Where did we put the emergency plan?

There are a lot of interdependencies among services that you don't always realize until you have to. So you have to start slowly and unravel everything from one end to the other. It takes A LOT of time.
For one enterprise I know of it took months and the cost was billions.

proteksupport

@scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

So we heard from customers of Protek Support in Salt Lake City that the MSP has been hit with ransomware that has gone on to hit all of their clients as well. From what we understand, they are currently on four days of customers being without their files and they aren't cleaning them up yet. We would suspect that their internal systems have been hit and they are tied up dealing with that.

I don't know where you got such information from, but this is simply not true.

DustinB3403

@proteksupport said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

I don't know where you got such information from, but this is simply not true.

That's easy to say without having any proof to back it up. Are you secretly Donald Trump?

Also welcome to the community

proteksupport

This post is deleted!